Appendix

Table 1. PCI DSS 2.0 Applicability Matrix for EMC Storage Configuration Advisor
Requirement ...
Device State Report provides total devices out of sync between startup...
locked. With this authentication mechanism, user accounts are ...
NCM categorizes each event by action type, event type, severity type...
documented and logged. If a change is made without the proper approva...
Configuration Compliance For Storage, Network & Server

This white paper shows the benefits of integrating IT infrastructure management technologies such as Network Configuration Manager, Storage Configuration Advisor and vCenter Configuration Manager into the RSA Archer platform for Configuration Compliance.

White Paper

CONFIGURATION COMPLIANCE FOR STORAGE, NETWORK & SERVER
A Detail Review

Abstract

This white paper explains how the Configuration Compliance solution can enable companies to ensure visibility of the IT infrastructure, automate remediation and increase efficiency. The document will show the benefits of integrating IT infrastructure management technologies such as Network Configuration Manager, Storage Configuration Advisor and vCenter Configuration Manager into the RSA Archer platform.

June 2012
Copyright © 2012 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided "as is." EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

VMware is a registered trademark of VMware, Inc. in the United States and/or other jurisdictions. All other trademarks used herein are the property of their respective owners.

Part Number h10841

Configuration Compliance for Storage, Network & Server 2
Table of Contents

Executive summary
  Audience
Introduction
  Infrastructure Compliance Challenges
IT Infrastructure Configuration Management
  EMC Storage Configuration Advisor
  EMC Network Configuration Manager
  VMware vCenter Configuration Manager
IT GRC as a Business Imperative
  Platform Approach to IT GRC
RSA Archer Integration Scenarios
  Scenario 1: Compliance Data Consolidation
  Scenario 2: Detail Control Mapping
Recommendations
  Focus on Quick Wins
  Drive Automation via Integration
  Show the Cost Saving
  Make it Easy for Executives
  Involve Key Stakeholders Early
Conclusion
Appendix
Executive summary

In today's fast changing market, organizations must be quick to respond to changes as well as be efficient and lower costs. In addition, the journey to the cloud has been driving the IT organization toward better utilization of their infrastructure through virtualization of compute and storage, and optimization of networks. However, this transformation also leads to new challenges relating to IT visibility and compliance complexity.

What most companies need is an effective approach to governance, risk management, and compliance (GRC). IT infrastructure compliance needs to be a part of the overall GRC strategy. It's critical to address the internal complexities brought on by today's dynamic physical and virtual data centers with both new technologies and new ways of doing business.

GRC used to start with discrete projects focused on policy definition, manual testing of controls and minimal use of risk management models. Over the years, companies started to incorporate IT risk management and IT governance with periodic testing of IT controls via a web-based questionnaire method. Today we see the linkages between enterprise GRC, information GRC, and IT operations GRC becoming more transparent. Technologies now enable tighter integration for automated control monitoring and better management of risks.

EMC, RSA and VMware are committed to expanding the benefits companies are receiving from RSA Archer and infrastructure management software investments. The EMC Configuration Compliance Solution provides a seamless integration of RSA Archer with:
• EMC Storage Configuration Advisor (SCA)
• EMC Network Configuration Manager (NCM)
• VMware vCenter Configuration Manager (vCM)

Most organizations are asking for help from technology vendors on addressing the cost of compliance and increasing system uptime. In many scenarios, automation is the key to their success.

Audience

This white paper is intended for Infrastructure Administrators, Storage Administrators, Network Administrators, RSA Archer Administrators, Information Security Architects or Compliance Officers.
Introduction

EMC is leading the industry in enabling companies of all sizes to progress along their journey to the cloud. This journey can be divided into 3 phases:
1. Phase 1 – Focus on hardware consolidation and virtualization of non-mission critical IT production apps.
2. Phase 2 – Assess potential benefits from virtualizing mission critical apps.
3. Phase 3 – Explore new opportunities to drastically enhance the speed and agility of IT.

This transition, together with competitive, internal and regulatory pressure, has created many new challenges.

Infrastructure Compliance Challenges

The problems that both IT and Information Security teams face fall into 3 areas:
• Lack of IT Visibility
  o $26.5B revenue lost in 2011 due to IT downtime
  o Infrastructure outage can cost an average of $5,000 per minute
• Configuration Complexity
  o 85% of IT problems are related to organization and technology change
  o 78% of outages are caused by misconfigurations due to changes
• Increasing Regulatory Requirements
  o Only 1 in 10 companies can effectively measure infrastructure compliance

First, many organizations may not have deep visibility into the IT infrastructure from the security and compliance standpoint. Information is tracked via manual processes and there are days or weeks of delay. There is no integrated approach to provide more visibility to high level executives or blend the information from the IT infrastructure into the overall compliance context.

Second, security teams often do not realize there are better ways to collect information and assess risk in the organization. In many instances, it's possible to leverage EMC and VMware technologies to collect IT data from the sources automatically and perform correlation, analysis, and assessment.

Third, companies spend a significant amount of time proving compliance to internal and external auditors. Without automation, manual data collection can be very unreliable.

IT Infrastructure Configuration Management

Many tools may provide IT with a partial picture of the infrastructure, such as the changes to the server environment but not the changes to the network and storage environment. Others may cover all infrastructure domains but do not provide prebuilt templates, change management or remediation capabilities.

This inconsistent vision of the entire infrastructure makes compliance management and reporting a very challenging part of GRC operations. By offering complete coverage across domains, companies will have a complete vision of the state of the IT infrastructure. EMC, RSA and VMware can provide the coverage across the entire infrastructure, giving organizations the visibility to make compliance management an efficient, cost effective and low risk process.

There is a big advantage in using EMC and VMware technologies to integrate into an existing RSA Archer framework and enhance its value. It's critical to have an understanding of the capabilities of the infrastructure management tools.
EMC Storage Configuration Advisor

EMC Storage Configuration Advisor tracks and reports changes to storage resources and ensures that they are compliant with defined storage configuration policies. Some examples of storage policies are:
• Internal configuration policies
• Industry best practices
• EMC E-lab interoperability
• Multipath management

Table 1 in the Appendix provides more examples of how organizations can utilize this technology for a PCI DSS 2.0 compliance effort.

Storage Configuration Advisor leverages agentless discovery, near-real-time change tracking, and configuration policy validation to identify issues before they can impact service levels. It also provides change history and service analytics to help IT improve processes and resource planning. Finally, the technology provides recommendations across the storage infrastructure.
EMC delivers Storage Configuration Advisor on a hardware or virtual appliance that includes the application and its data repositories. It uses a web-based user interface and employs industry-standard agentless discovery based on the VMware API, WMI, SSH, SNMP, and SMI-S standards. The diagram below explains Storage Configuration Advisor's architecture.

The key benefits of Storage Configuration Advisor are:
• Efficient Change Monitoring and Validation
  o Validate host and infrastructure interoperability against defined policies
  o Automatically document configuration changes and violations
• Lower Risk of Changes
  o Roll out infrastructure upgrades with continuous configuration validation
  o Improve MTTR by rapidly identifying changes that impact service levels
• Operational Planning and Oversight
  o Understand current trends and their impact on change and configuration management processes
  o Automate documentation, enabling audit readiness

EMC Network Configuration Manager

EMC Network Configuration Manager helps organizations keep network components compliant in a number of ways. Some use cases are:
• Design, enforce and report on adherence to complex network policies. The policy enforcement could be for the entire domain or just one network site or subnet.
• Leverage best-practice templates to schedule and deploy any-scale change quickly through distributed architecture and workflow capabilities.
• Demonstrate on-demand compliance and its change/control process.
• Report on historical compliance of the managed infrastructure using the configuration and policies in place on the date selected.

Network Configuration Manager has an intuitive graphical network view and automates complex and routine engineering tasks, such as adding devices and connections, with drag-and-drop simplicity.

One important capability of Network Configuration Manager is its real-time auto-discovery of network devices and logical and physical topology information. Being able to collect network asset information and track it against enterprise compliance policies is a critical component of GRC operations.

Another advantage of using Network Configuration Manager is that it allows the viewing of configuration data in a vendor-neutral format using device modeling, and merges configuration data and device variables with best-practice templates to help ensure compliance. This capability is delivered via the powerful Automation Library.
These templates are key parts of the IT GRC process to make sure the network is compliant with industry regulations such as PCI DSS 2.0 (see Table 2 in the Appendix).

The key benefits of Network Configuration Manager are:
• Control Network Change
  o One system to manage a multivendor network and ensure compliance across its entire lifecycle
• Increase Operating Efficiency
  o Lower costs and simplify operations; increase network and service availability; and deliver services and respond to business needs faster
• Ensure Network Compliance
  o Detect compliance states, flag violations and fix problems to reduce business risk

VMware vCenter Configuration Manager

VMware vCenter Configuration Manager is a policy-driven configuration automation solution that detects deep virtual and physical changes and checks whether those changes are compliant with industry, regulatory or internal self-defined best practices. It helps organizations avoid configuration drift by remediating systems to bring them back into compliance. Some examples of use cases are:
• Managing change
• Controlling risk
• Automating operating system and software provisioning and patching with vSphere integration

vCenter Configuration Manager automates critical IT configuration management and compliance processes across thousands of assets, security and configuration settings from vSphere, VMware ESXi™ and ESX®, Windows, UNIX or Linux servers and user desktops.

Table 3 in the Appendix provides a full list of how organizations can use vCenter Configuration Manager for PCI DSS 2.0.

This technology is "cloud ready" as it allows IT organizations to detect changes quickly and manage host compliance across multiple VMware vCloud Director instances and guests.

The advantage of using vCenter Configuration Manager is its rule building capability. The Rule Wizard will help IT organizations meet internal and external standards.
The key benefits of VMware vCenter Configuration Manager are:
• Policy Driven Configuration Management
  o Provision IT approved OS images & software packages
  o Patch to mitigate known vulnerabilities
• vSphere Compliance Checker
  o Check a small number of VMs against vSphere Hardening Guidelines
• Ensuring Compliance for Hybrid Cloud Workloads
  o Ability to manage guest level compliance across Clouds
  o Certified deployment models for vCloud Service Provider Partners

IT GRC as a Business Imperative

The emergence of IT GRC as a strategy for protecting the enterprise from IT risk while removing barriers to growth is the result of a number of factors:
1. Demands on corporate governance
2. Multi-faceted risk environment
3. Growing regulatory requirements
4. Disappearing boundaries in the hyper-extended enterprise

These elements require stronger collaboration between IT and Information Security. Today, there is a need to transform to a more programmatic approach with the use of technology.
Platform Approach to IT GRC

Organizations frequently rely on a document-centric, paper-based approach to risk and compliance management, rarely attaining sophistication beyond electronic documents and spreadsheets. Aside from being error-prone and inefficient, this approach makes it difficult to share information, thereby reinforcing silos. RSA Archer provides a technology architecture that integrates with EMC/VMware systems to provide a cohesive view.

The integrated solution not only provides compliance data for configuration violations and vulnerabilities but also blends with:
• Risk analytics
• Loss events
• Logs
• Document and records retention data
• Accounting and HR information

All of this data is scattered across multiple tools and systems. RSA Archer aggregates the data, putting risks, threats, incidents and compliance deficiencies into business context and enabling prioritization of the response based on what is most significant to the organization.

The key characteristics of the RSA Archer platform include:
• Centralized Views – A central view of risk and compliance activities provides a single lens through which stakeholders can identify threats early and prioritize issues, as well as improve efficiencies by applying a single process to multiple regulations.
• Automation – Through automation, organizations achieve continuous risk and controls monitoring as opposed to the point-in-time spot checks of the past. Technological capabilities required include advanced risk analytics and modeling, automated controls tied to business rules engines, advanced content and process management capabilities, and embedded GRC control points.
• Integrated Systems – Multiple point solutions that span different areas of the infrastructure are costly to manage, fail to deliver a holistic view of the enterprise and cannot correlate analysis to provide reliable conclusions. Integration enables management and reporting across the enterprise.
• Flexibility – The platform is adaptable in order to evolve as the business evolves. Furthermore, the business is able to make changes and build out applications to solve business problems without relying on costly, time-intensive custom development.

RSA Archer Integration Scenarios

There are several ways to get data from the infrastructure management tools into RSA Archer. When evaluating options, organizations should look into variables such as regulation, timeframe, goals, etc. Some of the key questions are:
1. With what industry regulatory requirements must the company comply?
2. At what stage of a GRC program is the company?
3. What are the most urgent issues?
4. What are the easy targets?

The basic integration mechanism is RSA Archer's Data Feed Manager (DFM). With EMC infrastructure management technologies, organizations can automatically and easily collect and evaluate the vulnerability or configuration state of Network, Storage and Compute. EMC Network Configuration Manager, Storage Configuration Advisor and vCenter Configuration Manager each have their own discovery, scanning and analysis engine, which is efficient for a particular infrastructure domain.
Therefore, pulling data from these automated scans is a better method for compliance assessment, because they are more reliable and faster than other methods.
Scenario 1: Compliance Data Consolidation

Consolidating data could be a simple use case to have all IT infrastructure information in one location. This scenario utilizes the summary reports from each of the management technologies and rolls everything into Archer's dashboard. The overall process can be summarized in the following steps:
1. Configuration management tools are set up to perform configuration checks against preset policies within those tools.
2. Once the tests or checks are executed within those tools, the scanned results are summarized into summary reports.
3. Each report will contain basic information such as device name, pass/fail, rule, description, etc.
4. Data Feed Manager will reach out to either a SQL database or a .csv location and import those summary reports.
5. The feeds are set up so that data is stored in either the Devices or the Configuration Check Results application.
6. In some instances, new On-Demand Applications (ODAs) may be needed, depending on whether there is a need to pull additional data from the management tools.

This method gives users more power and flexibility to map IT assets and vulnerability states to defined Business Units, Regions or Criticality. For organizations that have specific needs to track a certain area of the IT infrastructure, this method can be a quick win to provide such tracking mechanisms without manual effort or education on configuration management technologies.
Scenario 2: Detail Control Mapping

This scenario requires a more comprehensive mapping exercise and building of data feeds. The benefit is that organizations can monitor specific controls which could be automatically checked by the configuration management tools.

Some examples of use cases are:

Infrastructure: Server
Procedure Name: Windows Server 2008 Member Server Idle Time before suspending a session
Description: Windows Server 2008 Member Server Idle Time before suspending a session should not be longer than 15 minutes of inactivity. When not being used, accounts should be logged off from the system console.

Infrastructure: Network
Procedure Name: Disable services per specified interface
Description: The following interface services will be checked to see if they are disabled; if not, they will be disabled on the specified interface:
• ICMP redirects
• ICMP unreachable
• ICMP mask reply messages
• Proxy-Arp
• Directed Broadcasts

Infrastructure: Storage
Procedure Name: Ensure all assets in a storage area network have latest vendor-supplied patches
Description: Install the latest releases, updates, or patches within one month of release from the vendor.

In a typical environment, there could be hundreds or thousands of control procedures set up to automatically scan for violations. In order to ensure integration between RSA Archer and the infrastructure management technologies, the following process provides an overview of how it would work:
1. Each tool must be configured so that policies, rules or tests are configured and defined. For example, NCM must be set up with a test such as "Disable services per specified interface" in order to feed the result data of that rule into Archer.
2. Mapping the content of control procedures and the results from each tool must be done within Archer's content framework prior to pulling data. This content will be mapped manually to Control Procedures.
3. The Devices feed will populate the Devices application with information such as Device Name, IP Address, Device Type, etc.
4. The Scan result feed will populate the Configuration Check Results application with the compliance results from each tool.
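As an added example (not EMC, RSA or VMware code), the following Python models the data flow of both scenarios on constructed input: it parses a summary report in the shape Scenario 1 describes (device name, pass/fail, rule, description), applies the manual rule-to-Control-Procedure mapping that Scenario 2 requires, and rolls results up through the Authoritative Source / Control Standard / Control Procedure hierarchy described in the next section. The CSV layout, the "tool" column, the Control Standard and Procedure names and the mapping table are assumptions for illustration, not the Data Feed Manager or Archer schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the summary reports described in Scenario 1
# (device name, pass/fail, rule, description), one block per tool.
# The "tool" column and the exact layout are assumptions, not the DFM schema.
SUMMARY_CSV = """tool,device,result,rule,description
vCM,win-app-01,FAIL,Windows Server 2008 Member Server Idle Time,Idle timeout is set to 30 minutes
vCM,win-app-02,PASS,Windows Server 2008 Member Server Idle Time,Idle timeout is set to 10 minutes
NCM,core-sw-01,PASS,Disable services per specified interface,ICMP redirects disabled on Gi0/1
NCM,edge-rtr-01,PASS,Disable services per specified interface,Directed broadcasts disabled on Gi0/0
SCA,san-sw-01,ERROR,Ensure all assets in a storage area network have latest vendor-supplied patches,Scan could not read firmware version
SCA,san-sw-02,PASS,Ensure all assets in a storage area network have latest vendor-supplied patches,Current vendor firmware installed
vCM,win-app-01,FAIL,Local hardening rule,Rule has not been mapped to a Control Procedure
"""

# Hypothetical Scenario 2 mapping from a tool rule to
# (Authoritative Source, Control Standard, Control Procedure).
# Control Standard and Procedure names are constructed for illustration.
CONTROL_MAP = {
    "Windows Server 2008 Member Server Idle Time":
        ("PCI DSS 2.0", "Access Control", "Session idle timeout <= 15 minutes"),
    "Disable services per specified interface":
        ("PCI DSS 2.0", "Network Hardening", "Disable unneeded interface services"),
    "Ensure all assets in a storage area network have latest vendor-supplied patches":
        ("PCI DSS 2.0", "Patch Management", "Vendor patches applied within one month"),
}


def parse_summary_reports(text):
    """Parse summary-report CSV text into a list of row dicts (the feed input)."""
    return list(csv.DictReader(io.StringIO(text)))


def map_results(rows):
    """Attach the control hierarchy to each row.

    Rows whose rule has no mapping are returned separately so that they are
    flagged for the manual mapping step instead of silently disappearing
    from the compliance picture.
    """
    mapped, unmapped = [], []
    for row in rows:
        hierarchy = CONTROL_MAP.get(row["rule"])
        if hierarchy is None:
            unmapped.append(row)
            continue
        source, standard, procedure = hierarchy
        mapped.append({**row, "source": source, "standard": standard,
                       "procedure": procedure})
    return mapped, unmapped


def rollup(mapped):
    """Roll mapped results up to Control Procedure level.

    A procedure is Non-Compliance if any device fails it. Anything other than
    an explicit PASS (FAIL, ERROR, blank) counts as a failure, so a broken
    scan cannot make a control look compliant.
    """
    by_proc = {}
    for row in mapped:
        entry = by_proc.setdefault(row["procedure"], {
            "source": row["source"], "standard": row["standard"],
            "checked": 0, "failing": []})
        entry["checked"] += 1
        if row["result"].strip().upper() != "PASS":
            entry["failing"].append(row["device"])
    for entry in by_proc.values():
        entry["status"] = "Non-Compliance" if entry["failing"] else "Compliance"
    return by_proc


def standard_summary(by_proc):
    """Count Compliance / Non-Compliance procedures per (source, standard) for a dashboard."""
    counts = defaultdict(lambda: {"Compliance": 0, "Non-Compliance": 0})
    for entry in by_proc.values():
        counts[(entry["source"], entry["standard"])][entry["status"]] += 1
    return dict(counts)


def run(text=SUMMARY_CSV):
    """Full pipeline: parse -> map -> roll up. Returns (by_procedure, by_standard, unmapped_rows)."""
    mapped, unmapped = map_results(parse_summary_reports(text))
    by_proc = rollup(mapped)
    return by_proc, standard_summary(by_proc), unmapped


if __name__ == "__main__":
    by_proc, by_std, unmapped = run()
    for name, entry in by_proc.items():
        print(f"{entry['standard']:<20} {name:<42} {entry['status']:<15} failing={entry['failing']}")
    print("unmapped rules:", sorted({r["rule"] for r in unmapped}))
```

The unmapped list is the practical check for step 2 above: any rule a tool reports that Archer has no Control Procedure for shows up there rather than being dropped from the dashboard.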
The architecture diagram below demonstrates how different areas in Archer could be structured.

The content hierarchy starts with Authoritative Sources such as PCI, HIPAA, SOX or internal compliance requirements. Control Standards are different aspects of each source and contain multiple Control Procedures for checking compliance. Each Control Procedure will detail a specific action that must be executed and result in either Compliance or Non-Compliance.

There are two ways of testing a control procedure:
• Manual – A web-based questionnaire will be sent to the IT asset owner to respond.
• Automated – This is where the integration happens and all tests or scans occur automatically.

Recommendations

GRC implementation can vary based on industry regulations, immediate business needs, customer requirements or security breach events. Some organizations might already use IT GRC technology to align controls with departmental and corporate policies and regulations. However, most organizations still function as silos and do not have the right technologies or processes to measure activities, provide efficiencies, and evaluate risks.

An IT GRC platform should help an organization:
• Define IT policies and controls based on external and internal requirements
• Manage policy content
• Map policies to controls
• Evaluate IT risk
• Automate auditing and regulatory reporting

This effort will require collaboration amongst the process owners and technical owners in order to maintain compliance in the IT infrastructure. The integrated solution of RSA Archer/EMC/VMware is an example of using the right tool set for driving collaboration. The criteria below could be used for assessing each scenario:

Criteria          Scenario 1: Compliance Data Consolidation    Scenario 2: Detail Control Mapping
Scalability       Good                                          Average
Granularity       Generic                                       Detail
Complexity        Simple                                        Complex
Feed Frequency    High                                          Average

But the secret to success is not just in the right platform; it's also in the right management approach to people and processes.

Focus on Quick Wins

An approach that focuses on early quick wins will make it easier for the organization to change. This is applicable to starting a new IT GRC strategy or revising an existing one. Below are some examples to start with:
• Focus on formalizing the risk process by taking some risk metrics from existing IT infrastructure management technologies.
• Provide better visibility and awareness of risk at the senior executive level.
• Report on new risks, which can be used to justify new security projects.
• Watch for inconsistency in processes, especially when it comes to control testing.
• Drive automated control testing for existing manual processes or even questionnaires.
• Address compliance results, which could be a very costly area when the company is fined.
• Bring in standardization and increase collaboration between Information Security and IT organizations.

Drive Automation via Integration

IT tools such as VMware vCenter Configuration Manager (vCM), EMC Network Configuration Manager (NCM) and Storage Configuration Advisor (SCA) help to monitor configuration settings and measure vulnerabilities in the IT infrastructure. They collect data automatically and perform correlations, analysis, and assessments.
An advantage of using these technologies is their integration with a GRC framework such as RSA Archer. Most organizations collect infrastructure information manually, either via spreadsheet, web portal, or archiving. This process can take time and is prone to being out-of-date or unreliable due to human error. Integration with a GRC framework allows these processes to happen automatically.

Show the Cost Saving

Cost savings can be achieved in many different ways after compliance processes are implemented. The obvious value is the improvement in an organization's external audit posture. Cost saving can also be translated from other metrics such as:
• Percentage improvement in availability of critical business systems and processes
• Reduced number of trouble tickets
• Percentage of time IT staff needs to spend on problem management
• Reduction in time spent planning and validating compliance with configuration best practices, security policies and industry regulations
• Number of configuration violations identified
• Reduction in service impacting events caused by improper configuration
• Reduction in time spent remediating configuration violations

These metrics can also help to control the company budget, avoiding over-spending or under-spending. An IT GRC strategy can only work if its success is proven by improving the organization's capability to effectively address IT risks and economically align processes.

Make it Easy for Executives

There is a lot of complexity behind infrastructure management technologies, or IT technologies in general. However, their results can be used by executives if the reporting provides a simple way to roll up compliance data. A GRC framework such as RSA Archer allows quick creation of simple dashboards with information such as the current state of process and control compliance, vulnerabilities, and IT asset use.

Another argument for simplified compliance reporting is to meet the needs of internal and external auditors. Without the automation made possible by an integrated compliance framework, it's very likely that the data collected is inaccurate.

Involve Key Stakeholders Early

GRC strategies can be driven from either the top-down or bottom-up. IT GRC will have more IT-centric requirements when driven from the bottom-up. Alternatively, Enterprise GRC or eGRC will be more focused on enterprise risk and driven from the top-down. Both approaches will require a certain level of coordination amongst an organization's IT, security, audit, and risk management teams.
One key to success is to allow time to negotiate change. People need time to digest the impact of a new way of thinking or doing things and to assess what it means to them and their jobs.

Conclusion
Understanding the key considerations and available options is critical to a successful GRC implementation. With the journey to the cloud, this transformation will also accelerate companies' IT GRC journey. Therefore, the organization should have an understanding of its in-house infrastructure technologies, their capabilities and their integration options.
EMC's infrastructure management portfolio has been helping its customers to provide complete compliance and service assurance with the below proven results:
• 80% faster problem identification
• 60% faster resolution
• 2X more efficient IT operations
The values of the EMC/RSA/VMware partnership provide (1) End-to-end Visibility, (2) Automated Compliance and (3) Effective Remediation:

Values: End-to-end Visibility
  Features: High Level Summary View Dashboard; IT Operation Dashboard; Detail Compliance Violation
  Benefits: Summarize IT information relative to existing compliance programs; Reduce time spent preparing for audit via a single reporting engine

Values: Automated Compliance
  Features: Compliance Policies & Templates; Configuration Checks Automation Against Policies; Internal IT Best Practice Standards
  Benefits: Provide compliance validation and change management; Avoid manual assessment via silo processes

Values: Effective Remediation
  Features: Contextual Launch to Specific Remediation Technology; Recommendation to Remediate
  Benefits: Automate remediation to close compliance gaps quickly with minimal effort

Technology improvements not only help EMC's customers ensure compliance but also provide them competitive advantages in the market place. That means companies can be more agile and quicker to respond to business needs while improving efficiencies and lowering costs.
Appendix

Table 1. PCI DSS 2.0 Applicability Matrix for EMC Storage Configuration Advisor

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Controls Addressed: 2.2
  Description: SCA has rules for checking SAN configuration against industry accepted best practices and the EMC Support Matrix (e.g. eLab), such as single initiator zoning, soft versus hard zoning, and default zoning.

Requirement 6: Develop and maintain secure systems and applications
  Controls Addressed: 6.1, 6.2
  Description: SCA discovers Solutions Enabler, PowerPath, some third party MP drivers, HBA driver and firmware, switch OS and firmware, and array microcode. SCA can also check SAN storage devices against EMC Support Matrix rules. The integration with RSA Archer will help establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

Requirement 10: Track and monitor all access to network resources and cardholder data
  Controls Addressed: 10.3.2, 10.3.3, 10.3.6
  Description: SCA tracks changes to the SAN configuration in near real time. Each change logged by SCA also includes date and time. The name of the SAN asset is identified when changes happen as well.

Table 2. PCI DSS 2.0 Applicability Matrix for EMC Network Configuration Manager

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Controls Addressed: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.8
  Description: NCM is capable of accepting Syslog and Trap information from devices. This is to monitor the network for changes completed outside of the configuration management system. The network diagram can also be used to validate Layer 3 connectivity. NCM reports will also define, for each connection, what technology is in place, such as ATM, Frame Relay, and Point-to-Point. User access to secured network components is constrained by access-list. A permission scheme in NCM can be defined for users to access the resources and operations needed to perform their jobs. Since only a small amount of documentation can be stored on a firewall or router, NCM supports the creation of network and device objects which can store comments or attachments. NCM templates can also be used to define best practices, and tests can be created to enforce these best practices. The Device State Report provides the total number of devices whose startup and running configurations are out of sync, which could result in a vulnerability. NCM templates include samples for implementing a DMZ with inbound/outbound traffic restricted to only the protocols that are necessary for the cardholder data environment.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Controls Addressed: 2.1, 2.1.1, 2.2, 2.2.2, 2.2.3, 2.2.4, 2.3
  Description: NCM has prebuilt templates for detecting default passwords on network devices and for disabling unnecessary insecure services and protocols. Users can define the association of these templates with specific PCI requirements. NCM allows a wide variety of communications protocols including SSH, SCP, Telnet, SNMP V1, SNMP V2c, SNMP V3, modems and terminal servers. It is recommended that whenever a device supports the secure protocols SSH, SCP and SNMP V3, they should be used. Using Secure Shell Protocol (SSH) for network device communication provides encrypted communications between the device server and devices for issuing configuration updates and polling configuration changes. Many devices are also capable of using SNMP V3 for network management. NCM provides SNMP V3 manageability using authorization and privacy protocols. SNMP V3 in conjunction with SSH provides the highest level of security available to manage network devices.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
  Controls Addressed: 4.1
  Description: The VPN Encryption template can be associated with the cryptography and security protocol requirements to safeguard sensitive cardholder data during transmission over open, public networks.

Requirement 6: Develop and maintain secure systems and applications
  Controls Addressed: 6.1, 6.4.1, 6.4.2
  Description: NCM can be used to prepare for OS upgrades by providing OS Inventory reports, and by providing hardware reports for verifying memory prerequisites. The NCM OS Manager can be used to deploy new OS versions to many types of network devices, including some wireless access points. For change control procedures of system components, NCM's job description field should be used to reference change tickets and/or include the full change description.

Requirement 8: Assign a unique ID to each person with computer access
  Controls Addressed: 8.3, 8.5.13, 8.5.14, 8.5.15
  Description: Users can customize the TACACS Server and RADIUS Server templates in the automation library to satisfy the authentication requirement for remote access to the network by employees, administrators and third parties. NCM contains four different types of authentication, each of which allows the administrator to control the number of logins which a user can attempt before the account is locked. With this authentication mechanism, user accounts are authenticated against an internal database in NCM, an external TACACS+ server, a RADIUS server or an LDAP server. Administrators can set an explicit limit to the number of authentication attempts a user can have before the account is locked. The administrator should set this to less than six. When a user session is locked out in NCM, the user account will not be unlocked until explicit action is taken by the administrator to unlock the user ID. The default user session timeout in NCM is 30 minutes, after which the user's session will automatically time out and require a login to continue. This can be controlled through the JMX console, which can be accessed by the system administrator.

Requirement 10: Track and monitor all access to network resources and cardholder data
  Controls Addressed: 10.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.5, 10.5.1, 10.5.2, 10.6
  Description: NCM maintains an audit log of all device accesses made, as well as any device change events detected on the device via notification from the device (Syslogs or Traps) or a timed configuration pull. For automated audit trails, NCM logs all accesses to protected resources through the user interface or API, regardless of whether the user is a system administrator or not. It exposes both AuthorizationFailedEvent and AuthorizationSucceededEvent for any logical access attempt. Many other events related to the creation and deletion of system-level objects are also collected for Security System-level Objects, Device and Credentials System-level Objects, Device Containment System-level Objects, and Automation Library (Compliance and Standardization) System-level Objects. NCM records both the user who made a change and the user who approved it in its revision history, including a time stamp as detected either from the scheduled job, the change notification, or the device itself. All audit trail entries are also recorded for both success and failure status, such as DeviceRevChangeFailedEvent, DeviceRevCreateFailedEvent, DeviceRevPolicyCheckFailedEvent, CommunicationRestoredEvent, etc. NCM categorizes each event by action type, event type, severity type, and source type. The action type is the actual type of event, such as JobFailedEvent. To synchronize all critical system clocks and times, a template called Test For Network Time Protocol can be used. Securing audit trails against alteration can be done with NCM as well. Users are constrained to only see events for resources to which they have view permissions. NCM has a system-level permission named View Audit which controls whether a user may see event logs.

Requirement 12: Maintain a policy that addresses information security for all personnel
  Controls Addressed: 12.1, 12.1.1
  Description: The Archer/NCM integration can be used to publish the process documentation written by the user. This process documentation is useful not only for dissemination across the group but also for daily review by engineers responsible for certain aspects of PCI. Users and auditors can also get a focused view of the requirements, best practices, samples and reports to help engineers address each requirement. The integration will help engineers stay well informed as to the requirements of PCI and the compliance status of the network.

Table 3. PCI DSS 2.0 Applicability Matrix for VMware vCenter Configuration Manager

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Controls Addressed: 2.1.1, 2.2.1, 2.2.2, 2.2.3, 2.2.4
  Description: vCM can be used to detect, and in many circumstances correct, default security settings on Windows, Solaris and Linux systems. System security parameters can be configured following the hardening guidelines for Windows, Solaris and Linux. Admins can also remove unnecessary functionality via built-in remediation actions as well as scripted remote commands.

Requirement 5: Use and regularly update anti-virus software or programs
  Controls Addressed: 5.1, 5.2
  Description: Although vCM is not an anti-virus solution, it can be used to assess and report the anti-virus state of the system. This allows a determination that all systems have anti-virus software installed and running with updated signature files.

Requirement 6: Develop and maintain secure systems and applications
  Controls Addressed: 6.1
  Description: vCM is able to access, download and deploy patches to Windows, Unix, Linux and Mac operating systems. Assessments are customizable and can be set to verify critical patches in the past 30 days. Changes within the virtual environment are captured as well. Each change made to the configuration settings is documented and logged. If a change is made without the proper approval, it is alerted with a simple roll back procedure and the change is reversed. vCM is able to track changes made through the standard change process as well as out-of-band changes conducted directly on the VMs or through other tools.

Requirement 7: Restrict access to cardholder data by business need to know
  Controls Addressed: 7.1
  Description: vCM can be used to validate user access to data stored on any Windows, Solaris and Linux system.

Requirement 8: Assign a unique ID to each person with computer access
  Controls Addressed: 8.1, 8.2, 8.5.1, 8.5.4, 8.5.5, 8.5.6, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15
  Description: vCM has the ability to monitor access controls and report on the following:
  • Local and domain-level users (Windows) and users with unique username (UNIX, Linux and Mac)
  • System password policies for expiration, length, standards, creation settings, and access attempts
  • Changes to user accounts, credential stores, and identifier objects to provide visibility and control over system access
  • User access across all the systems in the datacenter at once
  • Disable and remove access for terminated user accounts
  • Inactive accounts (for which it can also disable and remove access)
  • The status of maintenance accounts, confirming that they are disabled and configured to only be used during the times specified
  • Login policies, including lockout settings and auto-logout settings, remediating as needed
  Assessment, reporting and remediation are conducted in accordance with scheduling through vCM.

Requirement 10: Track and monitor all access to network resources and cardholder data
  Controls Addressed: 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.4, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5
  Description: vCM will assess, report and remediate the following:
  • Configurations of the system auditing and logging services to support proper logging across system components
  • Collection of audit log entries to provide a single view of events
  • NTP settings and configuration details
  • User access audit trails, by ensuring proper permissions for log files and their directories and alerting on changes to critical audit trails

Requirement 11: Regularly test security systems and processes
  Controls Addressed: 11, 11.5
  Description: vCM can be configured to monitor critical files and provide alerts and reports detailing any changes made or attempted.
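The template tests that Table 2 attributes to NCM (default credentials, insecure management protocols, a bounded lockout threshold, the NTP check) are, at bottom, rules evaluated over a device's running configuration and rolled up per PCI control for a GRC feed. The following Python is an added example and not NCM's or vCM's own code: it evaluates a constructed IOS-style config against four of the Table 2 controls. The rule names, regular expressions, the lockout limit and the sample config are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    control: str   # PCI DSS 2.0 control number, as listed in Table 2
    rule: str      # short rule name (assumed naming, not an NCM template name)
    evidence: str  # config line (or absence) that triggered the rule

# Constructed sample running-config (IOS-like) with deliberate weaknesses.
SAMPLE_CONFIG = """\
line vty 0 4
 transport input telnet ssh
snmp-server community public RO
snmp-server group pci-ops v3 priv
login block-for 120 attempts 10 within 60
ntp server 10.0.0.5
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # well-known vendor defaults
LOCKOUT_ATTEMPT_LIMIT = 6  # paper: lockout threshold should be under six

def check_config(config: str) -> list[Finding]:
    """Evaluate one device config and return every control violation."""
    findings: list[Finding] = []
    has_ntp = False
    for ln in (raw.strip() for raw in config.splitlines() if raw.strip()):
        # 2.2.2 / 2.1: SNMP v1/v2c community strings are an insecure service;
        # a vendor-default community is additionally a default-credential hit.
        m = re.match(r"snmp-server community (\S+)", ln)
        if m:
            findings.append(Finding("2.2.2", "snmp-v1v2c-enabled", ln))
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("2.1", "default-snmp-community", ln))
        # 2.3: non-console admin access must use SSH, not Telnet.
        m = re.match(r"transport input (.+)", ln)
        if m and "telnet" in m.group(1).split():
            findings.append(Finding("2.3", "telnet-admin-access", ln))
        # 8.5.13: lock the account after a bounded number of failed logins.
        m = re.match(r"login block-for \d+ attempts (\d+) within \d+", ln)
        if m and int(m.group(1)) >= LOCKOUT_ATTEMPT_LIMIT:
            findings.append(Finding("8.5.13", "lockout-threshold-too-high", ln))
        # 10.4: clock synchronization (the Test For Network Time Protocol check).
        has_ntp = has_ntp or ln.startswith("ntp server ")
    if not has_ntp:
        findings.append(Finding("10.4", "ntp-not-configured", "<no ntp server>"))
    return findings

def controls_violated(config: str) -> dict[str, list[str]]:
    """Roll findings up per control, as a GRC dashboard feed would consume them."""
    summary: dict[str, list[str]] = {}
    for f in check_config(config):
        summary.setdefault(f.control, []).append(f.rule)
    return summary
```

Running `controls_violated(SAMPLE_CONFIG)` flags controls 2.3, 2.2.2, 2.1 and 8.5.13 and leaves 10.4 clean because an `ntp server` line is present; removing that line produces a 10.4 finding instead.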